Broken Object Level Authorization

Broken Object Level Authorization (BOLA), also known as Insecure Direct Object Reference (IDOR), is a vulnerability that lets an attacker access objects they are not authorized to by manipulating the object IDs sent in a request.

Attackers exploit API endpoints that are vulnerable to broken object-level authorization by manipulating the ID of an object that is sent within the request. Object IDs can be anything from sequential integers to UUIDs or generic strings. Regardless of the data type, they are easy to spot in the request target (path or query string parameters), in request headers, or as part of the request payload. The issue is extremely common in API-based applications because the server usually does not fully track the client's state and instead relies on parameters such as object IDs, sent by the client, to decide which objects to act on. Authentication on its own does not help here: a valid token establishes who the caller is, not which objects the caller may access, so every endpoint that receives an object ID from the client must check that the authenticated identity is allowed to act on that specific object. The server response is usually enough to tell whether the request succeeded, which makes the flaw easy to test for: send the same request with one user's token and another user's ID and compare the status codes and bodies.

Vulnerable Code

The code snippet below is vulnerable to broken object-level authorization. It takes the username straight from the request path and queries the database with it, without any check that the requesting user is permitted to read that user's record. The JWTBearer dependency only authenticates the caller; it never compares the identity inside the token with the username being requested. An attacker holding any valid JWT can therefore read any user's information by simply changing the username in the request path.

from fastapi import APIRouter, Depends
from fastapi.encoders import jsonable_encoder
from fastapi.responses import JSONResponse
from sqlalchemy.orm import Session
# JWTBearer, get_db and UserModel are the application's own modules (import paths assumed; not shown on this page).
from app.auth import JWTBearer
from app.database import get_db
from app.models import UserModel

router = APIRouter()

@router.get("/users/{username}", dependencies=[Depends(JWTBearer())])
async def get_user_by_username(username: str, db: Session = Depends(get_db)):
    # JWTBearer only checks that a valid token is presented; the identity inside it is never compared with the path parameter.
    user = await get_user_by_username_handler(db, username)
    if user:
        return JSONResponse(status_code=200, content={"status": "success", "message": "User retrieved successfully", "data": jsonable_encoder(user)})
    return JSONResponse(status_code=404, content={"status": "error", "message": "User not found"})

async def get_user_by_username_handler(db: Session, username: str):
    '''Get user by username: looks the row up by the caller-supplied value with no ownership check.'''
    return db.query(UserModel).filter(UserModel.username == username).first()
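
As an added illustration (not code from this page or from the lab application), the endpoint above is modelled in plain Python beside a hardened version, together with the probe a tester would run against both. It assumes a constructed in-memory user table in place of the SQLAlchemy query, and that the bearer-token check exposes the caller's username and role from the verified token's claims; the names Principal, may_read_user, probe and findings are introduced here and do not come from the page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed in-memory user table standing in for the page's UserModel query.
# Illustration data only, not the lab application's data.
USERS: Dict[str, dict] = {
    "alice": {"username": "alice", "email": "alice@example.com", "role": "customer"},
    "bob": {"username": "bob", "email": "bob@example.com", "role": "customer"},
    "root": {"username": "root", "email": "root@example.com", "role": "admin"},
}


@dataclass(frozen=True)
class Principal:
    """Identity established by the bearer-token check.

    Assumption: the verified JWT carries the caller's username in its ``sub``
    claim and a ``role`` claim. The principal must come from the verified
    token, never from the request path, query string or body.
    """
    username: str
    role: str


@dataclass(frozen=True)
class Response:
    status_code: int
    body: dict


def not_found() -> Response:
    return Response(404, {"status": "error", "message": "User not found"})


def get_user_vulnerable(principal: Principal, username: str) -> Response:
    """Mirrors the page's endpoint: the caller is authenticated, but the
    authenticated identity is never compared with the object requested."""
    user = USERS.get(username)
    if user:
        return Response(200, {"status": "success", "data": user})
    return not_found()


def may_read_user(principal: Principal, username: str) -> bool:
    """Object-level authorization rule: a customer may read only their own
    record; an admin may read any record."""
    return principal.role == "admin" or principal.username == username


def get_user_fixed(principal: Principal, username: str) -> Response:
    """Hardened form: authorize the (principal, object) pair before touching
    the data. The denial reuses the 404 body so the endpoint does not reveal
    which usernames exist to callers who may not see them."""
    if not may_read_user(principal, username):
        return not_found()
    user = USERS.get(username)
    if user:
        return Response(200, {"status": "success", "data": user})
    return not_found()


def probe(handler: Callable[[Principal, str], Response],
          principal: Principal, targets: List[str]) -> Dict[str, int]:
    """BOLA test: with one caller's identity, request every target object and
    record the status code returned for each."""
    return {target: handler(principal, target).status_code for target in targets}


def findings(handler: Callable[[Principal, str], Response],
             principal: Principal, targets: List[str]) -> List[str]:
    """Objects the handler served (200) although the rule says it should not have."""
    return [t for t, code in probe(handler, principal, targets).items()
            if code == 200 and not may_read_user(principal, t)]


if __name__ == "__main__":
    alice = Principal("alice", "customer")
    targets = list(USERS)
    print("vulnerable:", probe(get_user_vulnerable, alice, targets))
    print("fixed:     ", probe(get_user_fixed, alice, targets))
    print("findings against vulnerable handler:", findings(get_user_vulnerable, alice, targets))
```

With alice's identity, the vulnerable handler returns 200 for every username, while the fixed handler returns 200 only for alice and 404 for everyone else; an admin principal still reads any existing record. The same probe shape (one caller's token, every other caller's ID, compare status codes) applies to the account and admin endpoints listed below.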

Vulnerable APIs

(Customer) Get User by Username

https://apidoc.fvb.vchan.in/#1632033e-c60b-463e-bc86-8f2ea2c63531

(Customer) Get Accounts by Username

https://apidoc.fvb.vchan.in/#eeef80ab-865a-4505-9f7e-b64751b2a57a

(Admin) Get User

https://apidoc.fvb.vchan.in/#c641a5f1-4a3f-4a56-98c5-a8a1db5b92f0

(Admin) Delete User

https://apidoc.fvb.vchan.in/#61151994-3d0e-475e-9bd6-9f0e08e0f3e2

Compliance

  • OWASP: API1:2023

  • PCI: 6.5.8

  • GDPR: Article-32

  • SOC2: CC1

  • ISO27001: A.9.4

  • NIST: SP800-53

CWE & CVSS

  • CWE: 863

  • CVSS VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C

  • CVSS SCORE: 5.1
